Bug 493157
| Summary: | rpmbuild allows names and versions/releases like: ../../../ | | |
|---|---|---|---|
| Product: | Fedora | Reporter: | seth vidal <svidal> |
| Component: | rpm | Assignee: | Jindrich Novy <jnovy> |
| Status: | CLOSED NEXTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 10 | CC: | ffesti, jnovy, n3npq, notting, pknirsch, pmatilai, security-response-team, tcallawa |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | 4.6.1-1.fc10 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2009-06-04 21:11:12 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
seth vidal
2009-03-31 20:02:25 UTC
Fixed upstream. ~, / and .. are no longer permitted in NVR. Fixed in rawhide now, keeping open for F10 tracking.

Removing group restriction.

FYI: the issue of wild characters in Name: was reported to a vendor-sec representative in December and fixed @rpm5.org by adding PCRE validation patterns for all tags, not just spot-checking NVR. The issue is considerably more complex than, say, Name: ~; and can be exercised by any script, not just rpmbuild, that constructs file paths from RPM package tags. Not that vendor-sec is worth much these days ...

Um, these issues are hardly fixed by preventing '/' and '~' and '..'. After 30 minutes of dinking, here are (some) of the flaws I found (note that I'm not even a professional "black hat"; I'm quite sure that additional paranoia and malice might have reduced 30 minutes to something much less).

For starters, ~ is unnecessary when `Name: whatever;cd;` is possible. And there are eval contexts with '<' available that make failing a build if/when a '/' is present pointless:

    Name: whatever;cd;cat<$SHELL>$'057'tmp$'057'myshell

Note that similar but much more serious exploits are possible using /dev/tcp/HOSTNAME/PORT importing (and executing) a rootkit.

I suggest that you commit to permitted character sets in specific tag contents and undertake explicit verification rather than fooling yourself with silliness like "But you can't mention '/' or '~' or '..' in name/version/release!" instead. It really isn't __THAT__ hard to add an explicit permitted character set in tag content like RPMTAG_NAME and RPMTAG_VERSION etc. etc. YMMV. Have fun!

rpm-4.6.1-1.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/rpm-4.6.1-1.fc10

rpm-4.6.1-1.fc10 has been pushed to the Fedora 10 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with `su -c 'yum --enablerepo=updates-testing update rpm'`. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-5214

rpm-4.6.1-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
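The discussion above contrasts the shipped fix (refusing '/', '~' and '..' in Name/Version/Release) with the stronger approach of an explicit permitted character set per tag. The following is an added example, not rpm's own code or the fix that went into 4.6.1: it places the two checks side by side and shows that a value such as `whatever;cd;` (quoted in the thread) passes the substring blocklist but fails a per-tag allowlist, and that a path-constructing helper should validate before joining. The allowlist patterns, the `TAG_PATTERNS` table and the `build_package_path` helper are this example's assumptions, not rpm's actual rules.

```python
"""Allowlist validation for RPM package tags (Name/Version/Release).

Added example, not rpm's own code. It illustrates the point made in the
bug discussion: rejecting '/', '~' and '..' (a blocklist) still lets shell
metacharacters through, whereas an explicit permitted character set per
tag does not. The patterns below are assumptions for this example.
"""
import os
import re

# Assumed per-tag allowlists. Version and Release exclude '-' because rpm
# uses it as the N-V-R separator; Name may contain it. Leading character
# must be alphanumeric so a value cannot start with '.' or '-'.
TAG_PATTERNS = {
    "Name": re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+-]*$"),
    "Version": re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+]*$"),
    "Release": re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+]*$"),
}

# The three substrings the thread says the F10 fix rejects.
BLOCKED_SUBSTRINGS = ("/", "~", "..")


def blocklist_ok(value):
    """Weak check: only forbid the three substrings named in the bug."""
    return not any(bad in value for bad in BLOCKED_SUBSTRINGS)


def allowlist_ok(tag, value):
    """Stronger check: the whole value must match the tag's permitted set."""
    return TAG_PATTERNS[tag].fullmatch(value) is not None


def classify(tag, value):
    """Report how each check judges a tag value (for side-by-side comparison)."""
    return {"blocklist": blocklist_ok(value), "allowlist": allowlist_ok(tag, value)}


def build_package_path(root, name, version, release, arch="noarch"):
    """Construct ROOT/NAME/NAME-VERSION-RELEASE.ARCH.rpm, validating first.

    Hypothetical helper standing in for any script that builds file paths
    from package tags. Raises ValueError if a tag fails the allowlist or if
    the normalised path escapes ROOT (defence in depth: unreachable once the
    allowlist holds, but cheap for scripts that read tags from packages).
    """
    for tag, value in (("Name", name), ("Version", version), ("Release", release)):
        if not allowlist_ok(tag, value):
            raise ValueError(f"{tag}: {value!r} contains characters outside the permitted set")
    root = os.path.realpath(root)
    path = os.path.normpath(
        os.path.join(root, name, f"{name}-{version}-{release}.{arch}.rpm")
    )
    if os.path.commonpath([root, path]) != root:
        raise ValueError(f"path {path!r} escapes {root!r}")
    return path


if __name__ == "__main__":
    # Constructed samples; the first two strings are quoted in the bug report.
    samples = [
        ("Name", "../../../"),
        ("Name", "whatever;cd;"),
        ("Name", "rpm"),
        ("Version", "4.6.1"),
        ("Release", "1.fc10"),
        ("Version", "4.6-1"),
    ]
    for tag, value in samples:
        print(f"{tag:8} {value!r:20} {classify(tag, value)}")
    print(build_package_path("/tmp/rpms", "rpm", "4.6.1", "1.fc10", "x86_64"))
```

Running the block prints one row per sample; the `whatever;cd;` row is the interesting one, because `blocklist` reports True while `allowlist` reports False. The same validator can be applied to any other tag by adding a pattern to `TAG_PATTERNS`, which is the "permitted character sets in specific tag contents" the thread asks for.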